Oracle® Fusion Middleware Administrator's Guide for Oracle Authentication Services for Operating Systems 11g Release 1 (11.1.1) Part Number E16454-02
If you have users in Active Directory, and you want to use the credentials stored in Active Directory for Linux or UNIX authentication, you can configure integration with Active Directory. Setting up integration with Active Directory requires several steps:
You use the Oracle Directory Integration Platform to synchronize user and group entries to Oracle Internet Directory when they are added to or changed in Active Directory.
You use an Oracle Internet Directory plug-in to add required attributes to the user and group entries in Oracle Internet Directory after they are synchronized from Active Directory to Oracle Internet Directory.
You use another Oracle Internet Directory plug-in to enable Active Directory authentication of Linux or UNIX users.
To secure communication, you configure SSL between Oracle Directory Integration Platform and Active Directory and between Oracle Directory Integration Platform and Oracle Internet Directory.
Note:
After you have synchronized users from Active Directory into Oracle Internet Directory, you can only change passwords through Active Directory. You must change the password in the Active Directory user entry, not the Oracle Internet Directory entry. If you change the password in Oracle Internet Directory or by using the passwd command, the change will appear to be successful but will not be propagated to the Active Directory entry. The password in the Active Directory user entry will remain in effect.
User entries in Active Directory do not include key information required for Linux authentication. Therefore, when you synchronize users from Active Directory into Oracle Internet Directory by using the Active Directory connector of Oracle Directory Integration Platform, you must augment those user entries with the required information. To facilitate this, the product includes a PL/SQL plug-in that can be enabled on Oracle Internet Directory.
Enable the plug-in as follows:
1. Use a text editor to make the following changes to $ORACLE_HOME/ldap/admin/posixattr_when_add.pls:
   a. In line 71, replace the value of v_homeDirectory with the desired home directory.
   b. In line 72, replace the value of v_loginShell with the desired login shell.
   c. In line 73, replace the value of v_gidNumber with the GID number of the users.
2. Load the plug-in package into the database by typing:
   sqlplus ods/odspwd @$ORACLE_HOME/ldap/admin/posixattr_when_add.pls
   where odspwd is the password of the ODS user.
3. Use a text editor to make the following change in $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif: replace the value of orclpluginsubscriberdnlist with your realm's DN.
4. Add the plug-in to Oracle Internet Directory by running the following command:
   ldapadd -h host -p port -D cn=orcladmin -q \
     -f $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif
Oracle Directory Integration Platform is documented in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform. The following procedure refers to that document in several places.
To enable Oracle Directory Integration Platform for Active Directory integration with Oracle Authentication Services for Operating Systems, perform these steps:
1. Verify the synchronization requirements, as described in "Verifying Synchronization Requirements," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.
2. Create a synchronization profile by running expressSyncSetup, as described in the section "Creating Import and Export Synchronization Profiles Using expressSyncSetup" in the chapter entitled "Creating Synchronization Profiles with Express Configuration" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.
3. Edit the profiles resulting from the express configuration. To understand mapping rules, see "Configuring Mapping Rules," in Chapter 6 of the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform. Make the following changes:
   a. Change the domain rules to point to ou=People under the realm DN (ou=People,<realm DN>) in Oracle Internet Directory.
   b. Provide a DN mapping rule: uid=%,ou=People,<realm DN>
   c. Comment out this line:
      userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
   d. Uncomment this line:
      #sAMAccountName: : :user:uid: :inetorgperson
   See the sample synchronization profile in Appendix D. The customizations are shown in boldface.
4. Continue with Steps 2-5 of "Creating Synchronization Profiles with Express Configuration," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.
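As an added illustration (not code from this guide or from the product), the following Python script simulates the two customizations described above: the DN mapping rule uid=%,ou=People,<realm DN> with uid taken from sAMAccountName, and the attributes the posixattr_when_add plug-in adds after synchronization, then checks that each resulting entry carries everything a Linux login needs. The realm DN, the values standing in for v_homeDirectory, v_loginShell and v_gidNumber, the per-user uidNumber assignment and the sample Active Directory entries are all constructed assumptions, not values from the product.

```python
import re

REALM_DN = "dc=example,dc=com"  # assumed realm DN
# Assumed stand-ins for v_homeDirectory (base path; uid appended), v_loginShell, v_gidNumber
V_HOME_DIRECTORY = "/home"
V_LOGIN_SHELL = "/bin/bash"
V_GID_NUMBER = "1000"
REQUIRED_POSIX = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")  # RFC 2307 MUSTs

# Constructed sample of AD user entries as the DIP connector would read them
AD_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=corp,DC=example,DC=com
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@corp.example.com
objectClass: user

dn: CN=Svc Backup,CN=Users,DC=corp,DC=example,DC=com
cn: Svc Backup
sAMAccountName: svc-backup
objectClass: user
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): list of attr -> values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def map_to_oid(ad_entry, realm_dn=REALM_DN):
    """Rule uid=%,ou=People,<realm DN>; uid from sAMAccountName, not userPrincipalName."""
    uid = ad_entry["sAMAccountName"][0]
    return {"dn": [f"uid={uid},ou=People,{realm_dn}"], "uid": [uid],
            "cn": ad_entry["cn"], "objectClass": ["inetorgperson"]}

def augment_posix(oid_entry, uid_number):
    """Mimic the plug-in's post-sync additions (per-user uidNumber is assumed)."""
    oid_entry["objectClass"] = oid_entry["objectClass"] + ["posixAccount"]
    oid_entry.update(uidNumber=[str(uid_number)], gidNumber=[V_GID_NUMBER],
                     loginShell=[V_LOGIN_SHELL],
                     homeDirectory=[f"{V_HOME_DIRECTORY}/{oid_entry['uid'][0]}"])
    return oid_entry

def missing_posix_attrs(oid_entry):  # required POSIX attributes the entry lacks
    return [a for a in REQUIRED_POSIX if not oid_entry.get(a)]
```

Running missing_posix_attrs over entries exported from ou=People after a synchronization run is a quick way to confirm the plug-in fired for every user before enabling Linux logins.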
You must configure external authentication plug-ins for authenticating users synchronized from AD. The procedure for doing this is documented in the "Configuring External Authentication Plug-ins" section of Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.